Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

New Speculative Execution Vulnerability Gives CISOs a New Reason to Lose Sleep

The vulnerability, dubbed SWAPGS, is an undetectable threat to data security, similar in some respects to Spectre and Meltdown.

Bogdan Botezatu, director of threat research at BitDefender, leans across the table in a hotel lobby coffee shop to make his point. "When you're a CISO, there is no single of vulnerability you're aware of that doesn't keep you awake at night." The new vulnerability his team of researchers found — the vulnerability they will reveal in a press conference this evening — is one that he says should definitely contribute to CISO insomnia.

The new vulnerability, dubbed SWAPGS by the BitDefender research team, is a speculative execution vulnerability that Botezatu says is similar in some respects to Spectre and Meltdown. "What we have done is to manipulate this instruction called SWAPGS in order to sample information from the realm of the operating system memory into the user space," he explains.

SWAPGS is an instruction that swaps the contents of a particular register with the contents of a specific memory location. The instruction is defined as a privileged instruction that should be available only to system software, such as a hypervisor. One of the things that makes the instruction dangerous when exploited is that it can provide rapid access to certain data structures used by the operating system kernel.

When the instruction is manipulated, Botezatu says, "This can lead to all sorts of trouble like leaking out information about passwords, encryption, keys, tokens, authentication, cookies, and other sensitive information that goes through the processor."

Like many of the other speculative execution exploits that have been found, SWAPGS doesn't allow the attacker to manipulate the data being stored in the memory location — it only allows for the contents of that memory location to be monitored. "You just poke the memory, and run a time-based attack. If it's something interesting, it's fine. If not, you have just lost 20 seconds and you need to go back to square one," Botezatu explains.

As with most of the other speculative execution attacks, Botezatu sees SWAPGS as something that could be a tool for patient nation-state actors, not finance-focused criminals. Criminal actors, he says, can simply launch repeated phishing attacks to get the information that might become available through SWAPGS.

Still, he points out, a speculative execution attack like SWAPGS is dangerous because it bypasses hardware-based protection and is undetectable by normal security packages. Furthermore, while BitDefender followed responsible disclosure and Microsoft has issued a Window patch for the vulnerability, Botezatu says, "We know that in enterprises, patch adoption is not something that happens overnight. That can take anywhere from one to 180 days, if you're lucky."

Related content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...